Cross-Origin Resource Sharing
Configure CORS to prevent unauthorized browser requests.
[cors]
allow_credentials = false
allow_origins = "https://app.grafbase.com"
max_age = "60s"
allow_methods = ["GET", "POST"]
allow_headers = "Content-Type"
expose_headers = ["Access-Control-Allow-Origin"]
allow_private_network = false
allow_credentials
: Enables or disables credential sending. Defaults tofalse
.allow_origins
: Allowed domains, one or multiple domains in a list. A Glob pattern can also be used. To accept any domain, use"*"
. Defaults to no domains if CORS is enabled.max_age
(duration): Duration for caching preflightOPTIONS
request results. Default: none.allow_methods
: One or multiple allowed HTTP methods. To accept any method, use"*"
. Defaults to none if CORS is enabled.allow_headers
: One or multiple allowed headers. To accept any header, use"*"
. Defaults to no headers if CORS is enabled.expose_headers
: Headers a preflight request can return to the client. Default: no headers if CORS is enabled.allow_private_network
: Allows private network requests. Defaults tofalse
.
The supported glob patterns for allow_origins
are:
*
matches zero or more characters.?
matches any single character.[ab]
matches one of the characters contained in the brackets. Use[!ab]
to match any character excepta
andb
.{p1,p2}
matches either patternp1
orp2
.
For example *.example.com
will match all sub-domains of example.com
.